Staged Publishing Now Generally Available
GitHub has announced the general availability of a new security feature called staged publishing for the npm package registry. This feature requires human approval for every package publication before it becomes available for installation. When a maintainer uses staged publishing, the package tarball is first uploaded to a staging queue. A maintainer must then pass a two-factor authentication challenge to explicitly approve the release, ensuring that no package goes live without verified human intervention. This applies even to packages published through automated CI/CD workflows or trusted publishing using OpenID Connect authentication.
To use staged publishing, maintainers must already have publish access to the package, the package must already exist on the registry, and their account must have two-factor authentication enabled. They can submit a package to the staging area using the command “npm stage publish” from the package root directory. GitHub recommends updating to npm CLI version 11.15.0 or newer to access this command. For maximum security, the company advises combining staged publishing with trusted publishing via OIDC.
New Install Source Permission Flags
In addition to staged publishing, GitHub introduced three new install source permission flags for npm that give developers granular control over where packages can be installed from. The new flags complement the existing –allow-git flag. The –allow-file flag controls installations from local file paths and local tarballs. The –allow-remote flag manages installations from remote URLs, including HTTPS tarballs. The –allow-directory flag controls installations from local directories.
These flags allow developers to apply an explicit allowlist approach to every non registry install source. This means teams can restrict package installations to only approved sources, reducing the risk of inadvertently pulling in malicious code from unexpected locations. The updates come as open source software supply chain attacks continue to surge, with threat actors increasingly targeting package registries to distribute malware to unsuspecting developers and downstream users.
Source: The Hacker News
